If there is no authentication cookie, redirects the request to a logon page to collect credentials. Information about the originating page is placed in the query string using RETURNURL as the key. The server HTTP reply is:

Validates user credentials and, if the credentials are authenticated, redirects the browser to the original URL specified in the QueryString as the RETURNURL variable. By default, the authentication ticket is issued as a cookie.

Note:

You can specify that the authentication ticket be included in the URL instead of a cookie using the CookieMode property.

If the user is authenticated, grants access and grants the authentication cookie, which contains an authentication ticket. Future requests by the same browser session will be authenticated when the module inspects the cookie. It is possible to create a persistent cookie that can be used for future sessions, but only until the cookie's expiration date. The server HTTP reply is:

Note that the cookie path is set to /. Because cookie names are case-sensitive, this prevents inconsistent case in URLs on the site. For example, if the path were set to /SavingsPlan and a link contained /savingsplan, the user would be forced to re-authenticate because the browser would not send the cookie.